Avoiding the conventional hooks that enable most cyberattacks, native stealth capabilities deliver a reduced attack profile and can help organizations avoid the risk or fallout of a hack.
As businesses undertake the digital transformation, the
trends of cloud, mobility, and IoT converge. Organizations
need to take a holistic approach to protecting critical
systems and data, and an important area for attention is the
ability to reduce the network’s attack profile. By reducing
their exposure, businesses can mitigate the chances of a
cyber-attack being successful or even launched. Limiting
the available points in ingress, and obscuring those that
remain, significantly lessens the attack surface available for
potential hackers to exploit.
Conventional networking has progressively evolved, due to
a number of factors, to where is has essentially become a
collapsed, routed backbone with multiple virtual interfaces
that provide connectivity to a variety of user segments. In
practice, this is configured as multiple Virtual LANs (VLANs)
that support groups of users, each with a routed interface
(terminating on Virtual Routers). The Layer 3 engines at the
heart of the network populate tables with all known routes,
facilitating interconnectivity and creating a situation where
any-to-any communication is the necessary default behavior.
In larger networks, end-to-end connectivity is, in fact,
a series of hop-by-hop forwarding decisions. Being
IP-centric, the conventional network topology is very
easily and quickly mapped; this is good for network
management purposes, but a double-edged sword
insofar as it also presents an effective attack platform
for hackers. Being IP-centric, attacks can be launched
from any point within or external to the network.
In an effort to control what is, in effect, global any-to-any
reachability – rarely practical in and of itself – businesses
often chose to lock-down connectivity to selective paths
so that any-to-any doesn’t simply become a conduit
used by attackers. Options include using Access Control
Lists (ACLs) or distributed physical or virtual state-aware
firewalls to limited, for example, users-to-application, not
users-to-users. These measures can be expensive and are
always complex to plan, deploy, and maintain.
Limiting how much of the network is visible, and hardened
that which is, goes a long way to reducing the opportunities
presented to cyber-attackers. Proactively obscuring the
network, at and between access nodes, minimizing the
exposure profile and helps with defense-in-depth.
These characteristics combine to offer a prospective hacker
with little to exploit. Much of the network is hidden, and
that which remains visible is free of the hooks that make
conventional networks vulnerable.
Extreme delivers a distinctly new administrative and
operational experience. Being Ethernet-centric, the
Fabric Connect network topology is invisible from an IP
perspective; there are no inherent hop-by-hop IP paths to
trace, therefore the network topology cannot be traced
using remote IP-based tools.
Fabric Connect leverages a MAC-layer service identifier,
the Virtual Service Network ID, and this enables an IP-free
approach to traffic forwarding decision-making. This 24-bit
identity uniquely defines a particular service; delivering
hyper-scalability that exceeds 16 million entities. It is part
of the IEEE 802.1ah Header that encapsulates the standard
802.3 Header and datagram. The Header and identity are
applied at the edge of the domain. Intermediate nodes base
their forwarding decisions upon the shortest path/s to the
destination node, through a shared understanding of the
network topology, using the Destination Edge Bridge’s MAC
Address (again, part of the 802.1ah Header) as the directing
data point.
Traffic belonging to a specific service is encapsulated
with the appropriate header at the Edge, and remains
isolated from every other service/traffic, and opaque to
intermediate nodes. This mitigates the need for intranetwork ACLs and Firewalls; VSNs are oblivious to each
other, as are hosts on different VSNs, and there is no risk of
traffic blurring between VLANs or seeping through generic
routing tables.
Therefore, rather than conventional any-to-any, the entire
basis of connectivity becomes one-to-one or a series of
multiple ones-to-ones. In its simplest form – two devices
communicating with each other over the backbone –
connectivity is established by both being configured,
only at the Fabric Edge, as members of the same VSN.
Services, Layer 2 and Layer 3 VSNs, are a function of
explicit provisioning, and communication between different
services is blocked unless specifically enabled.
Edge-only provisioning completely removes any need for
service-specific configuration in the Core, or any other
intermediate Fabric Connect node; if a service is present on
just two nodes, then the necessary configuration appears
on only these two nodes, nowhere else, regardless of the
network topology or size. This completely revolutionizes
the configuration and change paradigm, from hop-by-hop
to end-to-end; configuration is vastly simplified and change
is de-risked.
Reduced Attack Profile
Cyber-attacks can originate from a variety of source: ranging
from nation-state players to the relatively unsophisticated
using tools shared or purchased via the Dark Web. However,
a Fabric Connect network, being Ethernet-centric, operates
a topology that is invisible from an Internet/IP perspective;
there are no contiguous hop-by-hop IP paths to trace,
therefore the network topology cannot be mapped using
IP-based hacking tools. This is a function of specific design
intent, delivering more than simple “security-through obscurity”, but conscious obfuscation of the network
topology, reachability, and services.
Network management is fully supported – indeed, additional Layer 2 tools are delivered – however, individual devices will only ever see, at most, the other hosts on their specific virtual segment. Individual Fabric Connect networking nodes are not, by default, visible to any host on any VSN; if enabled, ICMP would only show the VSN Edge nodes, but nothing of the inner network.
It is neither feasible nor desirable to pre-provision every possible application segment at every Edge node. Because individual networking sessions may last only minutes, hours, or perhaps days, Fabric Attach empowers network connectivity – VLAN, QoS, Policy, et al – to be dynamically extended to the Edge. What’s pertinent, in this scenario, is that service is automatically provisioned – “spun-up” if you will – without manual pre-configuration or intervention. Similarly, once a session terminates, the now-redundant networking configuration is automatically undone, removed from the Access node, and consigned to history.
These characteristics combine to offer a prospective hacker with little to exploit. Much of the network is hidden, and that which remains visible is free of the hooks that make conventional networks vulnerable.
Service Separation
Fabric Connect handles traffic forwarding in a
fundamentally unique way, building connectivity as a series
of isolated virtual networks that interconnect specifically provisioned end-points only. Traffic belonging to a specific
service is encapsulated with the appropriate header at
the Edge, and remains isolated – end-to-end across the
network – from unconnected service traffic and is also
opaque to intermediate network nodes.
Uniquely, Fabric Connect isolates foreign services from each other, delivering a true “ships-in-the-night” capability. This mitigates the need for intra-network ACLs and Firewalls; VSNs are oblivious to each other, as are hosts on different VSNs, and there is no risk of traffic blurring between VLANs or seeping via generic routing tables.
Edge-Only Provisioning
Network-wide segments are seamless, created with
simplified configuration commands on an Edge node.
Fabric Connect automatically permeates the configuration
throughout the network, eliminating error-prone and time consuming network-wide manual configuration practices.
Organizations are now able to add new services or make
changes to existing services in minutes rather than days,
weeks, or months.
Edge-only provisioning completely removes any need for service-specific configuration in the Core, or any other intermediate Fabric Connect node; if a service is present on just two nodes, then the necessary configuration appears on only these two nodes, nowhere else, regardless of the network topology or size. This completely revolutionizes the configuration and change paradigm, from hop-by-hop to end-to-end; configuration becomes vastly simplified and change is de-risked.
Fabric Attach facilitates the automatic attachment of authenticated end-point devices directly into their appropriate VSNs. Equally beneficial at both the Wiring Closet and Data Center edges, Fabric Attach supports dynamic service creation and removes the delays and risks associated with manually configuring conventional networks.
The world is on the verge of an unprecedented expansion in networked connectivity, driven by the combined forces of the Internet of Things and Smart infrastructures. No organization can afford to ignore the importance of protecting access to its network, applications, and information. Without proper controls, a breach of one device could provide a hacker with the virtual keys to the castle.
Extreme delivers technologies that help secure the
everywhere-perimeter. Organizations can significantly
reduce the level of network exposure and they can avoid
the chinks that are normally used for an exploit.
It has been said that there are two types of organization:
those that have been hacked and know it, and those that
have been hacked but do not know it. Hackers leverage
common IP-based tools and techniques in order to gain
entry and extract assets. Information-age organizations
can significantly reduce their exposure to and risk of
cyber-attack by ensuring that their network has a strong
foundation of native stealth capabilities. By reducing,
obscuring, or even avoiding the conventional pitfalls,
businesses can mitigate their exposure and focus their
specialist security efforts on those areas that do must
public. Native stealth capabilities deliver a reduced attack
profile and can help organizations avoid the risk or fallout
of a hack.
Empowering businesses to differentiate their critical
application and confidential data, to efficiently and with
massive scale partition the essential, and to obscure and
harden the network, provides a comprehensive security
foundation in an epoch of cyber-attack and IoT.
Extreme delivers is a solution set of next-generation
capabilities that address the challenges of the everywhereperimeter. It provides a foundational layer for the
specialist security services employed today, enabling
their effectiveness to be maximized. Extreme leverages
a shared control plane that seamlessly manages hypersegmentation, native stealth, and automatic elasticity
across the organization. Using software-defined and
identity technologies to automate onboarding and access
from users, devices, networking nodes, and servers,
Extreme makes protecting and managing everywhereaccess practical.
To learn more about Extreme Networking, and to obtain additional information such as white papers and case studies, please contact your Extreme Account Manager or Authorized Partner or visit us at www.extremenetworks.com.